{"id":"CURL-CVE-2022-35260","summary":".netrc parser out-of-bounds access","details":"curl can be told to parse a `.netrc` file for credentials. If that file ends\nin a line with consecutive non-white space letters and no newline, curl could\nread past the end of the stack-based buffer, and if the read works, write a\nzero byte possibly beyond its boundary.\n\nThis does in most cases cause a segfault or similar, but circumstances might\nalso cause different outcomes.\n\nIf a malicious user can provide a custom netrc file to an application or\notherwise affect its contents, this flaw could be used as denial-of-service.","aliases":["CVE-2022-35260"],"modified":"2026-04-25T20:38:36.777162Z","published":"2022-10-26T08:00:00Z","database_specific":{"last_affected":"7.85.0","affects":"both","award":{"currency":"USD","amount":"480"},"CWE":{"id":"CWE-121","desc":"Stack-based Buffer Overflow"},"issue":"https://hackerone.com/reports/1721098","URL":"https://curl.se/docs/CVE-2022-35260.json","package":"curl","www":"https://curl.se/docs/CVE-2022-35260.html","severity":"Low"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.84.0"},{"fixed":"7.86.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"eeaae10c0fb27aa066fdc296074edeacfdeb6522"},{"fixed":"c97ec984fb2bc919a3aa863e0476dffa377b184c"}]}],"versions":["7.85.0","7.84.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2022-35260.json","vanir_signatures_modified":"2026-04-25T20:38:36Z","vanir_signatures":[{"id":"CURL-CVE-2022-35260-160145d4","source":"https://github.com/curl/curl.git/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c","signature_version":"v1","digest":{"line_hashes":["180427015040107051142020780991285257601","12266610536744085025426950927789246656","239996747545646643857373774366118206214","155731445442491039909521538273623993567","13387141666045107090636801487925201828","236656013171553531523123233181236102705","291370677559807464361649642919627712906","189498903837610303202040316232963631453","336093627987848099735496758689677859858","281586029754934110310274338936161049042","49602197324668631132655678939136460433","147192411820326919159921496268724779251"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"lib/netrc.c"}},{"id":"CURL-CVE-2022-35260-42bd6a15","source":"https://github.com/curl/curl.git/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c","signature_version":"v1","digest":{"line_hashes":["270365102834818624247507427346324617966","215529985526274021885683770136614352972","56969867792278034327518773244213351659","40181591141037536283781885935929912616","106575340799568553470923334291638780737","293921489964482779306311867020551921762"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"lib/curl_get_line.c"}}]}}],"schema_version":"1.7.5","credits":[{"name":"Hiroki Kurosawa","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}